OT security: what is it and should we be worried?
Barely a day goes by without some form of cyber attack hitting the headlines – no small feat in a time of a deadly global pandemic.
While the majority of attacks have targeted organisations’ IT processes, experts agree it’s only a matter of time before hackers set their sights on the operational technology (OT) that controls our nation’s critical infrastructure, be it the water we drink and the food we eat, the power we need to heat our homes or the train we catch to work.
The consequences can be deadly, and neither location nor size offers protection. Attacks on energy grids worldwide have become increasingly commonplace since a cyber security breach in the Ukraine knocked out power to a quarter of a million residents, and even small water utilities are on notice after an attempted poisoning of 15,000 US citizens in Oldsmar, Florida, in February.
The Australian government’s response to this heightened threat landscape includes new legislation focused on protecting critical infrastructure assets through more stringent security obligations across a broader range of industry sectors, comprising risk management programs, mandatory cyber incident reporting and enhanced cyber security obligations for assets of national significance.
And yet, OT continues to fly under the radar, even within industries that rely on it for their day-to-day operations. So, it’s worth a deeper dive to learn more about OT and its far-reaching impacts.
What is OT?
At its most basic, operational technology is defined as software and hardware that monitors and controls physical devices. As such, OT is most common in industrial control systems (ICS), such as SCADA systems, and in sectors heavily reliant on machinery, including mining, manufacturing, transport, energy, construction, water and waste.
Given the special purpose of these OT environments, the physical assets are designed to have an extended lifecycle and be in production for decades. And while such longevity drives cost efficiencies, it can come at a bigger financial impost, with legacy systems more vulnerable to attack due to infrequent upgrades and replacements, and security upgrades often overlooked due to concerns about extended downtimes.
The shift to automate industrial networks has also provided an additional pathway for hackers. Where IT and OT environments were once largely segmented, the rise of the Internet of Things (IoT) has seen the convergence of information and operational technologies, taking assets and processes not typically connected to the internet – assembly lines, temperature sensors, emergency shutdowns – and moving them online.
While this has been good for productivity, it’s also been good for threat actors who can more easily infiltrate OT systems by compromising the organisation’s IT network, a possibility made even easier since the shift to people working remotely.
Every organisation should know its security posture, be it a manufacturing business with 20 employees or 500 employees.
While each organisation’s OT environment is unique and requires a tailored security response, the journey to improving security maturity starts with the same questions:
· What is our current security posture?
· Who is most likely to target our organisation?
· What infrastructure is most likely to be targeted?
· What are the likely outcomes of an attack on each part of our infrastructure?
OT security specialists are expert in threat modelling to answer these questions and identify security gaps in ICS management systems, and in advising on international best practice standards and new industry-specific domestic legislative requirements, set to take effect from July. They can also help organisations to monitor and respond to ongoing threats, and determine budget to meet security needs.
OT risks and responsibilities
Any organisation still in doubt that OT should be central to its strategic planning might wish to rethink its position in light of reform options to be considered as part of the government’s Cyber Security Strategy 2020, with specific reference to “duties for company directors and other entities”. Those in the know speculate this will involve rules similar to those imposed by the Australian Prudential Regulation Authority on the financial industry, making boards, senior management, governing bodies and individuals directly responsible for implementing controls to protect information assets.
The increasing emergence of cyber attacks as a probable risk to business operations means oversight of cyber security should now be weighted equally with issues of governance and financial reporting, particularly for companies reliant on OT systems, which includes many of the ASX 200.
Businesses with frameworks in place to address OT security not only protect themselves and their employees, but also the wider community reliant on our nation’s essential services.
Contact Secolve to learn more about your OT cyber security needs.